10681060

Computer-Implemented Method for Determining Computer System Security Threats, Security Operations Center System and Computer Program Product

Published: June 9, 2020
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
21 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A computer-implemented method for determining computer system security threats, the method comprising: for a plurality of user accounts, assigning a risk level to each account of the plurality of user accounts; in a time interval, for a plurality of events, applying a set of at least two different algorithms to all of the plurality of events, wherein each event is linked to a respective user account, wherein each of the at least two different algorithms is applied to all of the plurality of events and assigning an event score for each of the plurality of events relating to deviation from a normal behavior associated with each said event of the plurality of events with respect to the respective user account and based on the outcome of each of the at least two different algorithms; in the time interval, for each event of the plurality of events, calculating an event importance which is a function of the respective event score and the respective user account risk level; prioritizing each event of the plurality of events by the respective event importance; providing a record of each event of the plurality of events, prioritized by the respective event importance; providing, via a user interface, each event of the plurality of events in a user interface element, wherein the plurality of events are presented via the user interface in an order of decreasing event importance; responsive to receiving additional data, updating an event importance for a particular event of the plurality of events; and updating the user interface to reflect the updated event importance for the particular event of the plurality of events; analyzing application logs and other sources to find anomalies and suspicious activity; automatically disabling a user account in response when an anomaly is detected; and starting session recording as an automatic response when an anomaly is detected.

Plain English Translation

Computer security threat detection. This invention addresses the problem of identifying and prioritizing security threats within a computer system. The method involves assigning a risk level to each user account. For a given time period, multiple events associated with user accounts are analyzed. A set of at least two distinct algorithms are applied to all these events. Each algorithm assesses how much an event deviates from the normal behavior of its associated user account, generating an event score for each event based on the outcomes of these algorithms. The importance of each event is then calculated as a function of its event score and the risk level of its associated user account. Events are prioritized based on this calculated importance. A prioritized record of all events is generated. A user interface displays these events, ordered by decreasing importance. When new data becomes available, the importance of a specific event can be updated, and the user interface is refreshed to show this change. The system analyzes application logs and other data sources to detect anomalies and suspicious activity. As an automatic response to detecting an anomaly, a user account can be disabled, and session recording can be initiated.
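Worked example (added here as an illustration; it is not code from the patent or its assignee): a Python sketch of the claim 1 pipeline. The account risk levels, per-account baselines and events are constructed sample data. The two algorithms (hour-of-day deviation and host rarity), the mean as the score combiner and the product as the importance function are assumptions, since the claim only requires "at least two different algorithms" and "a function of" the event score and the account risk level. "Additional data" is modelled as a changed risk level for one account.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, List

# --- constructed sample data (not from the patent) ---------------------------
# Risk level per user account, e.g. taken from an HR or asset system (claim 1, first step).
ACCOUNT_RISK: Dict[str, float] = {"alice": 1.0, "bob": 2.0, "svc_backup": 3.0}

# Per-account "normal behaviour": hours of day and hosts seen in past activity.
BASELINE_HOURS: Dict[str, List[int]] = {
    "alice": [9, 10, 11, 14, 15, 16, 9, 10],
    "bob": [8, 9, 17, 18, 8, 9],
    "svc_backup": [2, 2, 3, 2, 3, 2],
}
BASELINE_HOSTS: Dict[str, Dict[str, int]] = {
    "alice": {"ws01": 20, "fs01": 5},
    "bob": {"ws02": 30},
    "svc_backup": {"fs01": 100},
}


@dataclass
class Event:
    event_id: str
    account: str      # the user account the event is linked to
    hour: int         # hour of day of the activity
    host: str         # host the account touched
    score: float = 0.0
    importance: float = 0.0


# --- the "at least two different algorithms", each applied to every event ----
def alg_time_deviation(ev: Event) -> float:
    """Algorithm A (assumed): |z-score| of the event hour against the account's usual hours,
    scaled so that three standard deviations or more gives 1.0."""
    hours = BASELINE_HOURS[ev.account]
    mu, sd = mean(hours), pstdev(hours)
    if sd == 0:
        return 0.0 if ev.hour == mu else 1.0
    return min(abs(ev.hour - mu) / sd / 3.0, 1.0)


def alg_host_rarity(ev: Event) -> float:
    """Algorithm B (assumed): how unusual this host is for the account (1.0 = never seen)."""
    seen = BASELINE_HOSTS[ev.account]
    total = sum(seen.values())
    return 1.0 - seen.get(ev.host, 0) / total if total else 1.0


ALGORITHMS: List[Callable[[Event], float]] = [alg_time_deviation, alg_host_rarity]


def event_score(ev: Event) -> float:
    """Deviation-from-normal score: the mean of all algorithm outputs for this event."""
    return mean([alg(ev) for alg in ALGORITHMS])


def event_importance(score: float, risk: float) -> float:
    """Importance as a function of event score and account risk level (product, assumed)."""
    return score * risk


def prioritize(events: List[Event], risk: Dict[str, float]) -> List[Event]:
    """Score every event with every algorithm, derive importance, order by decreasing importance."""
    for ev in events:
        ev.score = event_score(ev)
        ev.importance = event_importance(ev.score, risk[ev.account])
    return sorted(events, key=lambda e: e.importance, reverse=True)


def apply_additional_data(events: List[Event], risk: Dict[str, float],
                          account: str, new_risk: float) -> List[Event]:
    """Additional data arrived (here: a changed account risk level); importance and the
    presentation order are updated without changing the deviation scores themselves."""
    updated = dict(risk)
    updated[account] = new_risk
    return prioritize(events, updated)


def sample_events() -> List[Event]:
    """Constructed events for one time interval."""
    return [
        Event("e1", "alice", 10, "ws01"),        # normal hour, usual host
        Event("e2", "bob", 3, "fs01"),           # odd hour, host never used before
        Event("e3", "svc_backup", 2, "fs01"),    # the backup job doing its usual thing
        Event("e4", "svc_backup", 14, "ws02"),   # service account at noon on a workstation
    ]


if __name__ == "__main__":
    for ev in prioritize(sample_events(), ACCOUNT_RISK):
        print(f"{ev.event_id} {ev.account:<11} score={ev.score:.2f} importance={ev.importance:.2f}")
    print("after alice's risk level is raised to 5.0:")
    for ev in apply_additional_data(sample_events(), ACCOUNT_RISK, "alice", 5.0):
        print(f"{ev.event_id} {ev.account:<11} importance={ev.importance:.2f}")
```

Two things the claim turns on are visible in the output. First, e4 outranks e2 even though both are maximally unusual on the host-rarity algorithm, because the service account carries a higher risk level. Second, raising alice's risk level moves e1 above e3 without re-scoring anything: the score measures deviation, the importance is what the analyst sees first. The automatic responses named in the claim (disabling the account, starting session recording) are not modelled; they would be hooks the SOC wires to its directory and session-recording systems, triggered from the top of this list.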

Claim 2

Original Legal Text

2. The method of claim 1 , wherein user behavior profiles are created and are continually adjusted using machine learning.

Plain English Translation

This claim narrows claim 1 by specifying how the "normal behavior" that events are compared against is maintained. A behavior profile is created for each user account, and the profiles are continually adjusted using machine learning as new activity is observed, so the deviation scores of claim 1 are measured against a baseline that follows how each user actually behaves over time rather than against a profile fixed at installation.

Claim 3

Original Legal Text

3. The method of claim 1 , further comprising providing a web-based user interface in which activities, hosts, and user accounts may be checked and in which results are made available.

Plain English Translation

This invention relates to a system for monitoring and managing activities, hosts, and user accounts within a computing environment. The core functionality involves tracking and analyzing interactions between users, hosts, and activities to detect anomalies or unauthorized behavior. The system collects data from various sources, including user accounts, host systems, and activity logs, and applies rules or algorithms to identify deviations from expected patterns. When a potential issue is detected, the system generates alerts or notifications to administrators or security personnel. Additionally, the invention includes a web-based user interface that allows users to check the status of activities, hosts, and user accounts. The interface provides access to the results of the monitoring and analysis processes, enabling administrators to review detected anomalies, view historical data, and take corrective actions. The interface may also support filtering, searching, and exporting functionality to facilitate investigation and reporting. This web-based interface enhances usability and accessibility, allowing authorized personnel to monitor and manage security and operational aspects of the computing environment efficiently. The system aims to improve security, compliance, and operational efficiency by providing real-time insights and actionable intelligence.

Claim 4

Original Legal Text

4. The method of claim 1 , further comprising presenting a user interface in which (a) events are presented and ranked by their security risk importance, or (b) the plurality of user accounts are presented and ranked by their highest event security risk importance.

Plain English Translation

This invention relates to cybersecurity systems that monitor and analyze security events across multiple user accounts. The problem addressed is the difficulty in prioritizing security risks when dealing with large volumes of events and numerous user accounts, making it challenging for security teams to identify and respond to the most critical threats efficiently. The invention provides a method for presenting security events and user accounts in a ranked order based on their security risk importance. Events are collected from various sources and analyzed to determine their potential impact on system security. Each event is assigned a risk score based on factors such as severity, frequency, and potential damage. Similarly, user accounts are evaluated based on the highest-risk events associated with them, and the accounts are ranked accordingly. A user interface displays the ranked events or user accounts, allowing security personnel to quickly identify the most critical threats. The interface may include filters and sorting options to further refine the view based on specific criteria, such as event type, timeframe, or account status. This prioritization helps security teams focus their efforts on mitigating the most significant risks first, improving overall system security and response efficiency. The method ensures that both individual events and user accounts are assessed and presented in a way that highlights the most urgent security concerns.

Claim 5

Original Legal Text

5. The method of claim 1 , further comprising presenting a user interface in which remote IP addresses are presented and ranked by their highest event security risk importance.

Plain English Translation

A system and method for cybersecurity risk assessment and visualization involves monitoring network events to detect potential security threats. The system collects data from various network sources, analyzes the data to identify security risks, and assigns risk importance levels to different events. The system then ranks remote IP addresses based on their highest associated event security risk importance, providing a prioritized view of potential threats. This ranking helps security analysts quickly identify the most critical threats in the network. The user interface displays the ranked IP addresses, allowing users to focus on high-risk addresses first. The system may also include additional features such as filtering, detailed event analysis, and historical trend tracking to enhance threat detection and response. By prioritizing threats based on risk importance, the system improves the efficiency of cybersecurity monitoring and incident response.
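Worked example for claims 4(b) and 5 (added here as an illustration; not code from the patent or its assignee): once events carry an importance value, accounts and remote IP addresses are ranked by the highest importance of any event linked to them. The scored events, account names and remote addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed sample data; the tie-breaking order is an assumption.

```python
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple, Tuple


class ScoredEvent(NamedTuple):
    event_id: str
    account: str
    remote_ip: str
    importance: float   # already computed as f(event score, account risk level)


# Constructed sample: the prioritized output of the claim 1 step, with the remote address kept.
EVENTS: List[ScoredEvent] = [
    ScoredEvent("e1", "alice", "203.0.113.10", 0.21),
    ScoredEvent("e2", "bob", "198.51.100.7", 1.66),
    ScoredEvent("e3", "svc_backup", "203.0.113.10", 0.35),
    ScoredEvent("e4", "svc_backup", "198.51.100.7", 3.00),
    ScoredEvent("e5", "alice", "192.0.2.44", 0.90),
]


def rank_by_max_importance(events: List[ScoredEvent],
                           key: Callable[[ScoredEvent], str]) -> List[Tuple[str, float, int]]:
    """Group events by key (account or remote IP) and rank the groups by their single
    highest event importance. Rows are (key, highest importance, number of events).
    Ties are broken by event count and then by key so the display order is stable."""
    highest: Dict[str, float] = {}
    count: Dict[str, int] = defaultdict(int)
    for ev in events:
        k = key(ev)
        count[k] += 1
        highest[k] = max(highest.get(k, 0.0), ev.importance)
    rows = [(k, highest[k], count[k]) for k in highest]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def rank_accounts(events: List[ScoredEvent]) -> List[Tuple[str, float, int]]:
    """Claim 4(b): user accounts ranked by their highest event importance."""
    return rank_by_max_importance(events, lambda e: e.account)


def rank_remote_ips(events: List[ScoredEvent]) -> List[Tuple[str, float, int]]:
    """Claim 5: remote IP addresses ranked by their highest event importance."""
    return rank_by_max_importance(events, lambda e: e.remote_ip)


if __name__ == "__main__":
    print("accounts:")
    for name, top, n in rank_accounts(EVENTS):
        print(f"  {name:<12} highest={top:.2f} events={n}")
    print("remote IPs:")
    for ip, top, n in rank_remote_ips(EVENTS):
        print(f"  {ip:<14} highest={top:.2f} events={n}")
```

The claim ranks by the highest importance, not by the sum over an entity's events. That choice matters in practice: summing would push a chatty but harmless account (alice, two low-importance events) above a quiet one with a single alarming event, and would let an attacker's one decisive action hide among an account's routine noise.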

Claim 6

Original Legal Text

6. The method of claim 1 , further comprising presenting histograms, distributions, baseline visualisation for peer groups and for an entire company based on typical behavior.

Plain English Translation

This claim adds visual context to the ranked events of claim 1. The system presents histograms and distributions of the behavioral data it scores, together with baseline visualisations that show what typical behavior looks like for a peer group and for the entire company. An analyst can then see where a given user's activity falls relative to colleagues doing similar work and relative to the organization as a whole, which makes it easier to judge whether a high event score reflects a genuine outlier or a pattern that is normal for that group. The scope of the visualisation can be switched between a specific peer group and the whole company.

Claim 7

Original Legal Text

7. The method of claim 1 , further comprising building a unique profile of individual users with cooperation of a Shell Control Box (SCB) which records all user activity at an application layer.

Plain English Translation

This claim specifies one source of the behavioral data used in claim 1. A unique profile is built for each individual user in cooperation with a Shell Control Box (SCB), a component that records all user activity at the application layer. Because the SCB captures what users actually do inside their sessions, rather than only the fact that a connection was made, the per-user profiles can describe individual working patterns in enough detail for the deviation scoring of claim 1.

Claim 8

Original Legal Text

8. The method of claim 7 in which the SCB has information on user sessions and meta information on connections and details of user activities in the user sessions.

Plain English Translation

This claim details what the Shell Control Box of claim 7 holds: information on user sessions, meta information on the connections that carry those sessions, and details of the user activities performed within each session. Session and connection metadata give the context (who connected, from where, to what), while the activity details supply the raw behavior that the algorithms of claim 1 score for deviation from the user's profile.

Claim 9

Original Legal Text

9. The method of claim 1 , wherein data may be accessed using a Representational State Transfer (REST) application programming interface (API) for integration into existing monitoring infrastructure.

Plain English Translation

This claim concerns integration. The data held by the system of claim 1 (events, scores, event importances and related records) may be accessed through a Representational State Transfer (REST) application programming interface (API), so that existing monitoring infrastructure such as a SIEM or an incident management tool can pull results from the system over standard HTTP requests rather than requiring analysts to work only in the system's own user interface.

Claim 10

Original Legal Text

10. The method of claim 1 , wherein the system gets data from other systems including logs, audit-trails, and information on user activities.

Plain English Translation

A system collects and processes data from multiple sources to monitor and analyze user activities, system logs, and audit trails. The system aggregates this data to detect anomalies, track user behavior, and ensure compliance with security policies. By integrating logs from various systems, the system provides a centralized view of activities, enabling real-time monitoring and historical analysis. The collected data includes timestamps, user actions, and system events, which are used to identify unauthorized access, policy violations, or operational inefficiencies. The system may apply machine learning or rule-based algorithms to correlate events across different data sources, improving threat detection and response. This approach enhances security, simplifies compliance reporting, and reduces the risk of undetected breaches. The system can also generate alerts or automated responses when suspicious activities are detected, ensuring proactive security management. By consolidating diverse data streams, the system provides a comprehensive and actionable overview of system and user activities.

Claim 11

Original Legal Text

11. The method of claim 1 , including the system using at least two data sources, including contextual information sources and raw user activity data sources, wherein contextual information sources are one or more of: information on users, hosts, but not actual activities, or wherein contextual information sources are one or more of: Active Directory (AD), Lightweight Directory Access Protocol (LDAP), human resources (HR)-system, IT-asset database (DB), and wherein raw user activity data sources include one or more of: logs, SSB/syslog-ng/SIEM logs, SCB logs, databases logs, csv files logs, and application data through application programming interfaces.

Plain English Translation

This invention relates to a system for analyzing user activity data by integrating multiple data sources to enhance security monitoring and threat detection. The system addresses the challenge of fragmented data sources in enterprise environments, where user activity data is often scattered across different systems, making it difficult to correlate and analyze effectively. The system combines at least two types of data sources: contextual information sources and raw user activity data sources. Contextual information sources provide background details about users, hosts, and other entities without capturing actual user activities. These sources may include Active Directory (AD), Lightweight Directory Access Protocol (LDAP), human resources (HR) systems, and IT-asset databases. These sources supply metadata such as user roles, device information, and organizational structures, which are crucial for understanding the context of user activities. Raw user activity data sources capture real-time or historical records of user actions. These sources include logs from various systems, such as SSB/syslog-ng/SIEM logs, SCB logs, database logs, CSV files, and application data accessed through APIs. By integrating these diverse data streams, the system enables comprehensive monitoring, anomaly detection, and threat investigation by correlating contextual metadata with raw activity logs. This approach improves the accuracy of security analytics and reduces false positives by providing a holistic view of user behavior within an enterprise environment.
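Worked example for claim 11 (added here as an illustration; not code from the patent or its assignee): joining a raw user-activity source with a contextual source. The raw source is three constructed sshd lines in the usual OpenSSH syslog format; the contextual source is a constructed dictionary standing in for an AD/LDAP or HR export. The rule that derives an account risk level from the context (privileged accounts and leavers rate higher, accounts unknown to the directory rate highest) is an assumption, not something the claim specifies.

```python
import re
from typing import Dict, List, Optional

# Constructed raw-activity source: sshd authentication lines as syslog would carry them.
RAW_LOG_LINES = [
    "Mar  3 02:14:07 fs01 sshd[2231]: Accepted publickey for svc_backup from 203.0.113.10 port 51022 ssh2",
    "Mar  3 09:01:55 ws01 sshd[4101]: Accepted password for alice from 192.0.2.44 port 40112 ssh2",
    "Mar  3 03:40:12 ws02 sshd[4990]: Failed password for mallory from 198.51.100.7 port 42211 ssh2",
]

# Constructed contextual source (AD/LDAP/HR style): describes who an account is, not what it did.
CONTEXT: Dict[str, Dict[str, object]] = {
    "alice": {"department": "engineering", "privileged": False, "status": "active"},
    "bob": {"department": "finance", "privileged": False, "status": "leaving"},
    "svc_backup": {"department": "it-ops", "privileged": True, "status": "active"},
}

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<account>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_sshd_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one raw sshd syslog line into an event record; None for non-authentication lines."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": m["ts"],
        "host": m["host"],
        "account": m["account"],
        "remote_ip": m["ip"],
        "hour": int(m["ts"].split()[-1].split(":")[0]),
        "success": m["result"] == "Accepted",
        "auth_method": m["method"],
    }


def risk_from_context(account: str, context: Dict[str, Dict[str, object]] = CONTEXT) -> float:
    """Assumed rule for the account risk level of claim 1, derived purely from contextual data:
    base 1.0, +1.0 for a privileged account, +2.0 for a leaver; an account the directory does
    not know gets 3.0 because nothing vouches for it."""
    info = context.get(account)
    if info is None:
        return 3.0
    risk = 1.0
    if info["privileged"]:
        risk += 1.0
    if info["status"] == "leaving":
        risk += 2.0
    return risk


def enrich_events(lines: List[str],
                  context: Dict[str, Dict[str, object]] = CONTEXT) -> List[Dict[str, object]]:
    """Correlate raw activity with context: each parsed event gets its account's department,
    whether the directory knows the account, and the derived risk level."""
    events = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        info = context.get(str(ev["account"]))
        ev["department"] = info["department"] if info else "unknown"
        ev["known_account"] = info is not None
        ev["account_risk"] = risk_from_context(str(ev["account"]), context)
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in enrich_events(RAW_LOG_LINES):
        print(f"{ev['account']:<11} {ev['host']} {ev['remote_ip']:<14} hour={ev['hour']:02d} "
              f"ok={ev['success']} dept={ev['department']} risk={ev['account_risk']}")
```

The third line is the case worth handling explicitly: a login attempt for an account the directory has never heard of. Treating "no context" as low risk would be the wrong default, so the join keeps the event, marks the account as unknown and assigns it the top risk level.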

Claim 12

Original Legal Text

12. A system including a hardware processor, the hardware processor programmed to execute a computer-implemented method for determining computer system security threats, wherein data relating to the user accounts is accessible to the hardware processor, the hardware processor programmed to perform operations comprising: for a plurality of user accounts, assigning a risk level to each account of the plurality of user accounts; in a time interval, for a plurality of events, applying a set of at least two different algorithms to all of the plurality of events, wherein each event is linked to a respective user account, wherein each of the at least two different algorithms is applied to all of the plurality of events and assigning an event score for each of the plurality of events relating to deviation from a normal behavior associated with each said event of the plurality of events with respect to the respective user account and based on the outcome of each of the at least two different algorithms; in the time interval, for each event of the plurality of events, calculating an event importance which is a function of the respective event score and the respective user account risk level; prioritizing each event of the plurality of events by the respective event importance; providing a record of each event of the plurality of events, prioritized by the respective event importance; providing, via a user interface, each event of the plurality of events in a user interface element, wherein the plurality of events are presented via the user interface in an order of decreasing event importance; responsive to receiving additional data, updating an event importance for a particular event of the plurality of events; and updating the user interface to reflect the updated event importance for the particular event of the plurality of events; analyzing application logs and other sources to find anomalies and suspicious activity; automatically disabling a user account in response when an anomaly is detected; and starting session recording as an automatic response when an anomaly is detected.

Plain English Translation

The system is designed to detect and prioritize security threats in computer systems by analyzing user account behavior. The system assigns a risk level to each user account and monitors events linked to these accounts. During a defined time interval, multiple events are evaluated using at least two different algorithms to detect deviations from normal behavior. Each event is scored based on these deviations, and an event importance is calculated by combining the event score with the user account's risk level. Events are then prioritized by importance and displayed in a user interface in descending order. The system dynamically updates event importance as new data is received and adjusts the user interface accordingly. Additionally, the system analyzes application logs and other sources to identify anomalies and suspicious activity. When an anomaly is detected, the system can automatically disable the affected user account and initiate session recording for further investigation. This approach enhances threat detection by leveraging multiple algorithms and risk-based prioritization, improving the efficiency of security monitoring and response.

Claim 13

Original Legal Text

13. The system of claim 12 , wherein the system is provided as a platform product.

Plain English Translation

This claim states that the system of claim 12 is provided as a platform product, that is, as a packaged product that customers deploy and build on, rather than as a one-off installation assembled for a single environment.

Claim 14

Original Legal Text

14. The system of claim 12 , wherein the system provides a command line interface for managing system installation and running maintenance jobs.

Plain English Translation

A system for managing software installation and maintenance tasks includes a command line interface (CLI) that allows users to control system installation processes and execute maintenance operations. The system is designed to streamline the deployment and upkeep of software applications, reducing manual intervention and improving efficiency. The CLI provides a set of commands for installing, configuring, and updating software components, as well as performing routine maintenance tasks such as system checks, backups, and error logging. The interface supports scripting and automation, enabling users to schedule and execute maintenance jobs without direct oversight. The system also includes a backend service that processes CLI commands, validates inputs, and ensures proper execution of tasks. This approach enhances reliability and reduces the risk of errors during installation and maintenance, making it suitable for enterprise environments where consistent and automated management is critical. The CLI can be integrated with existing workflows and supports various operating systems, providing flexibility in deployment scenarios.

Claim 15

Original Legal Text

15. The system of claim 12 , wherein Behavior Analysis as a Service (BaaaS) is provided, wherein cloud offering of the system is provided for customers who do not want to use an on-premise installation.

Plain English Translation

This claim covers delivering the system of claim 12 as Behavior Analysis as a Service (BaaaS): a cloud offering of the same analysis for customers who do not want to run an on-premise installation. Instead of operating the database, web server and analysis jobs themselves, such customers use the hosted version, with the provider responsible for running and maintaining the infrastructure.

Claim 16

Original Legal Text

16. The system of claim 15 , wherein through cloud integration the system is usable to compare user activities and analytics with other organizations baselines.

Plain English Translation

This claim builds on the cloud offering of claim 15. Because the hosted system sees several organizations, cloud integration makes it possible to compare one organization's user activities and analytics with the baselines of other organizations, so that an analyst can judge whether a pattern is unusual only locally or unusual compared with comparable organizations as well.

Claim 17

Original Legal Text

17. The system of claim 16 , wherein shared information includes one or more of: user risk histogram, algorithm parameters, algorithm weights, activity numbers, average baseline, baseline outliers, min/max/average/stddev score given by each of the at least two algorithms/baselines, false-negative activities with baselines, anonymous clusters.

Plain English Translation

A system for analyzing and comparing outputs from multiple algorithms or baselines in a risk assessment or activity monitoring context. The system addresses the challenge of integrating diverse analytical outputs to improve decision-making accuracy and reliability. It processes shared information derived from at least two algorithms or baselines, including user risk histograms, algorithm parameters, algorithm weights, activity numbers, average baselines, baseline outliers, and statistical metrics such as minimum, maximum, average, and standard deviation scores from each algorithm or baseline. The system also identifies false-negative activities with baselines and generates anonymous clusters of related data points. These shared insights enable comprehensive risk assessment, anomaly detection, and performance evaluation across different analytical models. The system enhances situational awareness by consolidating and comparing results from multiple sources, reducing discrepancies and improving the robustness of risk evaluations. This approach is particularly useful in applications requiring high reliability, such as fraud detection, cybersecurity, or behavioral analysis, where combining multiple analytical perspectives leads to more accurate and actionable outcomes.
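Worked example for claims 6 and 17 (added here as an illustration; not code from the patent or its assignee): the statistics that would be shared or visualised, computed over constructed per-user, per-algorithm scores. It produces the min/max/average/stddev given by each algorithm, a typical-behavior baseline for a peer group or for the entire company, baseline outliers, and a user risk histogram. The peer groups, the scores, the rule that a user's risk is the highest score any algorithm gave them, and the "more than k standard deviations above average" outlier rule are all assumptions.

```python
from statistics import mean, pstdev
from typing import Dict, Optional, Set, Tuple

ALGORITHMS = ("time_deviation", "host_rarity")

# Constructed: for each user, the peer group and the score each algorithm gave its activity.
USER_SCORES: Dict[str, Tuple[str, Dict[str, float]]] = {
    "alice": ("engineering", {"time_deviation": 0.22, "host_rarity": 0.20}),
    "carol": ("engineering", {"time_deviation": 0.30, "host_rarity": 0.10}),
    "dave":  ("engineering", {"time_deviation": 0.25, "host_rarity": 0.95}),
    "bob":   ("finance",     {"time_deviation": 0.66, "host_rarity": 1.00}),
    "erin":  ("finance",     {"time_deviation": 0.10, "host_rarity": 0.05}),
    "frank": ("finance",     {"time_deviation": 0.15, "host_rarity": 0.10}),
}


def members(scores: Dict[str, Tuple[str, Dict[str, float]]],
            group: Optional[str]) -> Dict[str, Dict[str, float]]:
    """Users in one peer group, or the entire company when group is None."""
    return {u: s for u, (g, s) in scores.items() if group is None or g == group}


def algorithm_stats(scores, algorithm: str, group: Optional[str] = None) -> Dict[str, float]:
    """min/max/average/stddev of one algorithm's scores over a peer group or the company
    (the per-algorithm figures listed in claim 17)."""
    values = [s[algorithm] for s in members(scores, group).values()]
    return {"min": min(values), "max": max(values), "avg": mean(values), "stddev": pstdev(values)}


def baseline(scores, group: Optional[str] = None) -> Dict[str, Dict[str, float]]:
    """Typical-behavior baseline for the chosen scope: per-algorithm statistics (claim 6)."""
    return {alg: algorithm_stats(scores, alg, group) for alg in ALGORITHMS}


def baseline_outliers(scores, algorithm: str, group: Optional[str] = None,
                      k: float = 1.0) -> Set[str]:
    """Users whose score lies more than k standard deviations above the scope's average
    (assumed outlier rule); comparing the peer-group and company results shows whether
    a user stands out only among peers or against everyone."""
    st = algorithm_stats(scores, algorithm, group)
    limit = st["avg"] + k * st["stddev"]
    return {u for u, s in members(scores, group).items() if s[algorithm] > limit}


def user_risk(scores) -> Dict[str, float]:
    """Assumed rule: a user's risk is the highest score any algorithm gave them."""
    return {u: max(s.values()) for u, (_, s) in scores.items()}


def risk_histogram(scores, width: float = 0.25) -> Dict[str, int]:
    """User risk histogram with fixed-width bins over [0, 1]; the top bin includes 1.0.
    Only counts per bin are produced, so it can be shared without naming users."""
    nbins = int(round(1 / width))
    labels = [f"{i * width:.2f}-{(i + 1) * width:.2f}" for i in range(nbins)]
    counts = {label: 0 for label in labels}
    for r in user_risk(scores).values():
        counts[labels[min(int(r / width), nbins - 1)]] += 1
    return counts


if __name__ == "__main__":
    for scope in (None, "engineering", "finance"):
        print(scope or "company", baseline(USER_SCORES, scope))
        print("  host_rarity outliers:", baseline_outliers(USER_SCORES, "host_rarity", scope))
    print("risk histogram:", risk_histogram(USER_SCORES))
```

Everything this block emits is aggregate: bin counts, per-algorithm moments and the names of outliers only within the organization that computed them. That is the property the cross-organization sharing of claims 16 and 17 depends on; raw events or per-user profiles never need to leave the tenant for another organization to compare its baseline against yours.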

Claim 18

Original Legal Text

18. The system of any of claim 12 , wherein one installation of the system can serve multiple customers, wherein database, configuration, and user interface are all separated between instances.

Plain English Translation

The system is designed for multi-tenant cloud-based software deployment, addressing the challenge of efficiently managing multiple customers with isolated data and configurations. The system enables a single installation to serve multiple customers while ensuring complete separation of databases, configurations, and user interfaces between different customer instances. Each customer operates within an independent instance, preventing data leakage or interference between tenants. The database separation ensures that customer data remains isolated, while configuration separation allows customization of settings for each instance without affecting others. The user interface separation provides distinct access points for each customer, maintaining a personalized experience. This architecture improves scalability, security, and manageability in cloud environments by consolidating infrastructure while preserving tenant isolation. The system is particularly useful for software-as-a-service (SaaS) providers needing to support multiple organizations with varying requirements.

Claim 19

Original Legal Text

19. The system of any of claim 12 , wherein the system is installed on a Linux system, including database servers, web-server, Initial data import, and automatic job setup.

Plain English Translation

Claim 19 fixes the deployment target: the system is installed on a Linux system, and the installation covers the database servers, the web server, an initial data import and the setup of automatic jobs. The initial import populates the system with data before the first analysis run, and the automatic jobs carry the recurring work of the method, such as scoring the events of each time interval. The claim names these components but does not specify particular database or web server software, nor the scheduler used for the jobs, so it covers any Linux installation that provides them. The claim is silent on how the components are hardened; for a security-monitoring installation the usual expectations apply, namely that the database and web server run as separate unprivileged accounts and that the scheduled jobs run with only the credentials needed to read the log sources and write their results.

Claim 20

Original Legal Text

20. The system of any of claim 12 , wherein the system can load historical data from data sources.

Plain English Translation

Claim 20 adds that the system can load historical data from its data sources rather than only consuming events as they arrive. For the method of claim 1 this matters because the event score measures deviation from an account's normal behaviour, and that normal behaviour has to be established from past events before live events can be scored against it; loading history also lets a newly installed system, or a newly connected data source, be analysed over the period before it was connected. The claim does not restrict the kind of data source or the format of the historical data. One check a practitioner would apply when scoring a loaded historical window is that each event is compared with the baseline as it stood at that event's own time, not with a baseline that already contains the event, otherwise the scores of the historical window are biased towards normal.

Claim 21

Original Legal Text

21. A non-transitory computer readable storage medium executable by a processor to cause a system to perform operations for determining computer system security threats, the operations comprising: for a plurality of user accounts, assigning a risk level to each account of the plurality of user accounts; in a time interval, for a plurality of events, applying a set of at least two different algorithms to all of the plurality of events, wherein each event is linked to a respective user account, wherein each of the at least two different algorithms is applied to all of the plurality of events and assigning an event score for each of the plurality of events relating to deviation from a normal behavior associated with each said event of the plurality of events with respect to the respective user account and based on the outcome of each of the at least two different algorithms; in the time interval, for each event of the plurality of events, calculating an event importance which is a function of the respective event score and the respective user account risk level; prioritizing each event of the plurality of events by the respective event importance; providing a record of each event of the plurality of events, prioritized by the respective event importance; providing, via a user interface, each event of the plurality of events in a user interface element, wherein the plurality of events are presented via the user interface in an order of decreasing event importance; responsive to receiving additional data, updating an event importance for a particular event of the plurality of events; and updating the user interface to reflect the updated event importance for the particular event of the plurality of events; analyzing application logs and other sources to find anomalies and suspicious activity; automatically disabling a user account in response when an anomaly is detected; and starting session recording as an automatic response when an anomaly is detected.

Plain English Translation

Claim 21 is the computer-program-product form of claim 1: the same operations, stored on a non-transitory computer readable medium and performed by a system when a processor executes them. Each user account is assigned a risk level; the claim does not say how that level is derived. Within a time interval, a set of at least two different algorithms is applied to every event in the interval, each event being linked to one user account, and each event receives an event score expressing how far it deviates from the normal behaviour of its account, based on the outcome of every algorithm in the set. For each event an event importance is then calculated as a function of the event score and the risk level of the account behind it, so the same deviation weighs more on a high-risk account than on a low-risk one. Events are prioritized by importance, recorded in that order, and presented in a user interface element in decreasing order of importance. When additional data arrives, the importance of a particular event is updated and the user interface is updated to match. The operations also include analysing application logs and other sources for anomalies and suspicious activity, and two automatic responses when an anomaly is detected: disabling the user account and starting session recording. Because both responses are automatic and the claim does not state what threshold or confidence triggers them, the false-positive rate of the anomaly detection directly determines how often a legitimate account is locked out, and the importance ranking is the lever an operator has for tuning that trigger.
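The following is an added example of the whole pipeline of claim 21, written for this page and not code from the patent or from any product of its assignee. It also exercises the per-algorithm statistics of the shared-information claim above and the baseline-from-history loading of claim 20. Everything specific is an assumption: the two algorithms (a z-score of bytes sent against the account's own history, and the rarity of the source host for that account), the saturation of the z-score at three standard deviations, the weights, the risk levels, the response threshold of 2.0, and the account names, history and live events, which are all constructed.

```python
"""Risk-weighted event prioritization with two anomaly algorithms.

Added example, not code from the patent or any product. Accounts, risk
levels, history, live events, weights and the response threshold are all
constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    event_id: str
    account: str
    bytes_out: int   # numeric feature, scored by the z-score algorithm
    src_host: str    # categorical feature, scored by the rarity algorithm


@dataclass
class Baseline:
    """Per-account normal behaviour learned from historical events (claim 20)."""
    mean_bytes: float
    std_bytes: float          # floored at 1.0 so a flat history cannot divide by zero
    host_counts: Counter
    total: int


def build_baselines(history: list[Event]) -> dict[str, Baseline]:
    by_acct: dict[str, list[Event]] = {}
    for ev in history:
        by_acct.setdefault(ev.account, []).append(ev)
    out = {}
    for acct, evs in by_acct.items():
        vals = [e.bytes_out for e in evs]
        out[acct] = Baseline(mean(vals), max(pstdev(vals), 1.0),
                             Counter(e.src_host for e in evs), len(evs))
    return out


def zscore(ev: Event, b: Baseline) -> float:
    """Algorithm 1: signed z-score of bytes_out against the account baseline."""
    return (ev.bytes_out - b.mean_bytes) / b.std_bytes


def rarity(ev: Event, b: Baseline) -> float:
    """Algorithm 2: how rare the source host is for this account (unseen = 1.0)."""
    return 1.0 - b.host_counts[ev.src_host] / b.total


ALGORITHMS = {"zscore": zscore, "rarity": rarity}
WEIGHTS = {"zscore": 0.6, "rarity": 0.4}   # constructed; shared configuration


def normalize(name: str, raw: float) -> float:
    """Map each algorithm's raw output onto [0, 1] so outputs are commensurable."""
    if name == "zscore":
        return min(abs(raw) / 3.0, 1.0)      # saturate at three standard deviations
    return raw                                # rarity is already in [0, 1]


def score_events(events, baselines, risk_levels):
    """Apply every algorithm to every event, combine, then weight by account risk."""
    result = {}
    for ev in events:
        b = baselines[ev.account]
        raw = {name: alg(ev, b) for name, alg in ALGORITHMS.items()}
        score = round(sum(WEIGHTS[n] * normalize(n, v) for n, v in raw.items()), 6)
        result[ev.event_id] = {"account": ev.account, "raw": raw, "score": score,
                               "importance": round(score * risk_levels[ev.account], 4)}
    return result


def prioritize(scored) -> list[str]:
    """Event ids in decreasing importance; ties broken by id so the order is stable."""
    return sorted(scored, key=lambda eid: (-scored[eid]["importance"], eid))


def update_account_risk(scored, risk_levels, account, new_level) -> None:
    """Additional data arrived (a changed risk level); recompute affected importances."""
    risk_levels[account] = new_level
    for entry in scored.values():
        if entry["account"] == account:
            entry["importance"] = round(entry["score"] * new_level, 4)


def algorithm_stats(scored) -> dict[str, dict[str, float]]:
    """Per-algorithm min/max/avg/std over the window: the shared statistics."""
    stats = {}
    for name in ALGORITHMS:
        vals = [e["raw"][name] for e in scored.values()]
        stats[name] = {"min": min(vals), "max": max(vals), "avg": mean(vals), "std": pstdev(vals)}
    return stats


def automatic_response(scored, threshold: float) -> list[tuple[str, str]]:
    """Disable the account and start session recording, once per account, for
    every event whose importance reaches the threshold (a constructed policy
    value: the claim requires the responses but does not fix the trigger)."""
    actions, handled = [], set()
    for eid in prioritize(scored):
        acct = scored[eid]["account"]
        if scored[eid]["importance"] >= threshold and acct not in handled:
            handled.add(acct)
            actions += [("disable_account", acct), ("start_session_recording", acct)]
    return actions


# Constructed sample data: two accounts, their history, and one live window.
HISTORY = (
    [Event(f"h{i}", "alice", b, "wks-01") for i, b in enumerate([90, 110, 90, 110])]
    + [Event(f"h{i}", "bob", b, h) for i, (b, h) in enumerate(
        [(1000, "wks-02"), (1200, "wks-02"), (1000, "wks-02"), (1200, "jump-01")], 4)]
)
LIVE = [Event("e1", "alice", 105, "wks-01"), Event("e2", "alice", 400, "wks-01"),
        Event("e3", "bob", 1150, "jump-01"), Event("e4", "bob", 1050, "vpn-gw-9"),
        Event("e5", "alice", 95, "vpn-gw-9")]
RISK = {"alice": 2, "bob": 5}   # bob is an administrator, hence the higher level

if __name__ == "__main__":
    risk = dict(RISK)
    scored = score_events(LIVE, build_baselines(HISTORY), risk)
    print(prioritize(scored), automatic_response(scored, 2.0))
    update_account_risk(scored, risk, "alice", 4)
    print(prioritize(scored), automatic_response(scored, 2.0))
```

Two things are visible in the output that the prose alone does not show. Event e3, a mild deviation on the high-risk account, ranks above e2, a thirty-sigma deviation on the low-risk account, which is the effect of making importance a function of both score and account risk. And once the additional data raises alice's risk level, her event e2 crosses the response threshold and the automatic disable and recording fire for a second account, which is why the trigger for those responses deserves as much attention as the scoring itself.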

Patent Metadata

Filing Date

Unknown

Publication Date

June 9, 2020

Inventors

Balazs SCHEIDLER
Marton ILLES


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “COMPUTER-IMPLEMENTED METHOD FOR DETERMINING COMPUTER SYSTEM SECURITY THREATS, SECURITY OPERATIONS CENTER SYSTEM AND COMPUTER PROGRAM PRODUCT” (10681060). https://patentable.app/patents/10681060
